Google Fixes Gmail Snoop Attack Hole

Google has fixed a serious security flaw in their free GMail service that would allow an attacker to obtain copies of a user's e-mail.

The attack was partially disclosed last week by researchers at GNUCITIZEN. They call it a "cross-site request forgery" and describe it as "a persistent backdoor within your GMail account and snoop onto all your conversations." Since Google has now fixed the flaw, GNUCITIZEN has released a proof of concept at the same link.

The attack works by installing a GMail filter through a hidden JavaScript POST to GMail that the user never sees. First the user has to be logged in to GMail. Then they have to visit a malicious web site. That site performs the POST to GMail, creating the filter, which stays active until the user deletes it. The filter can follow a rule, such as forwarding only mail with attachments.
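To make the defensive point concrete, here is an added example (not Google's code and not the GNUCITIZEN proof of concept) of a minimal filter-creation handler in two forms: one that trusts the session cookie alone, which is exactly what a cross-site POST exploits, and one that also requires a per-session secret token in the request body and checks the browser-supplied Origin header. The application origin, session id and filter rules are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field

APP_ORIGIN = "https://webmail.example"  # constructed placeholder, not Gmail's real origin

@dataclass
class Session:
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    filters: list = field(default_factory=list)

# Constructed sample state: one logged-in user whose browser holds cookie sid-123.
SESSIONS = {"sid-123": Session()}

def create_filter_vulnerable(cookies: dict, form: dict) -> bool:
    """Trusts the session cookie alone; the browser attaches that cookie to a
    POST aimed at this site even when an unrelated page launched the POST."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return False
    session.filters.append(form["rule"])
    return True

def create_filter_hardened(cookies: dict, form: dict, headers: dict) -> bool:
    """Two checks a cross-site page cannot satisfy: the per-session secret must
    be echoed in the body (another origin cannot read it), and a browser-set
    Origin header, when present, must name this application."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None or headers.get("Origin", APP_ORIGIN) != APP_ORIGIN:
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False
    session.filters.append(form["rule"])
    return True

def simulate() -> dict:
    """Replays the article's scenario against both handlers: a logged-in user
    loads a third-party page that POSTs a forwarding filter with no token."""
    cookie = {"sid": "sid-123"}
    cross_site = {"rule": "forward mail with attachments"}
    own_page = {"rule": "label newsletters", "csrf_token": SESSIONS["sid-123"].csrf_token}
    return {
        "vulnerable_accepts_cross_site": create_filter_vulnerable(cookie, cross_site),
        "hardened_accepts_cross_site": create_filter_hardened(cookie, cross_site, {"Origin": "https://third-party.example"}),
        "hardened_accepts_own_page": create_filter_hardened(cookie, own_page, {"Origin": APP_ORIGIN}),
        "filters_after": list(SESSIONS["sid-123"].filters),
    }

if __name__ == "__main__":
    print(simulate())
```

Running the script shows the vulnerable handler accepting the cross-site filter while the hardened one rejects it and still accepts the user's own request.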

GMail users should check the Filters page, accessible through Settings, to make sure no unauthorized entries are in there.